...
shibboleth.DefaultSigningCredential | Credential | Keypair used for signing, usually including a certificate |
shibboleth.DefaultEncryptionCredentials | List< Credential> | Collection of keypairs used to decrypt data sent by others (technically only the private key matters here) |
| shibboleth.DefaultSecurityConfiguration | SecurityConfiguration | Default security configuration used by all profile beans |
| shibboleth.SecurityConfiguration.SHA256 3.4 | SecurityConfiguration | Security configuration that directly incorporates the SHA-256 signing configuration |
| shiibboleth.SecurityConfiguration.SHA1 3.4 | SecurityConfiguration | Security configuration that directly incorporates the SHA-1 signing configuration |
| shibboleth.SigningConfiguration.SHA256 | BasicSignatureSigningConfiguration | Signing confguration that uses the SHA-256 digest algorithm |
| shibboleth.SigningConfiguration.SHA1 | BasicSignatureSigningConfiguration | Signing confguration that uses the SHA-1 digest algorithm |
| shibboleth.ExplicitKeySignatureTrustEngine | ExplicitKeySignatureTrustEngine | Signature verifier that relies on explicit keys in metadata |
| shibboleth.PKIXSignatureTrustEngine | PKIXSignatureTrustEngine | Signature verifier that validates certificates against PKIX rules in metadata |
| shibboleth.ChainingSignatureTrustEngine | ChainingSignatureTrustEngine | Signature verifier that chains the previous two beans together |
| shibboleth.ExplicitKeyX509TrustEngine 3.3 | Client certificate verifier that relies on explicit keys in metadata | |
| shibboleth.PKIXX509TrustEngine | PKIXX509CredentialTrustEngine | Client certificate verifier that validates certificates against PKIX rules in metadata |
| shibboleth.ChainingX509TrustEngine | ChainingTrustEngine | Client certificate verifier that chains the previous two beans together |
...
Property | Type | Default | Function |
|---|---|---|---|
idp.cookie.secure | Boolean | false | If true, all cookies issued by the IdP (not including the container) will be limited to TLS |
idp.cookie.httpOnly | Boolean | true | If true, all cookies issued by the IdP (not including the container) will contain the HttpOnly property |
idp.cookie.domain | String | Overrides the domain of any cookies issued by the IdP, not including the container | |
idp.cookie.path | String | Overrides the path of any cookies issued by the IdP, not including the container | |
idp.cookie.maxAge | Integer | 31536000 | Lifetime in seconds of cookies issued by the IdP that are meant to span sessions (365 days) |
idp.sealer.storeType | String | JCEKS | Type of Java keystore used for IdP's internal AES encryption key |
idp.sealer.updateInterval | Duration | PT15M | Time between checks for a new AES key version |
idp.sealer.aliasBase | String | secret | Case insensitive name of keystore alias prefix used in AES keystore (the entries will be suffixed by the key version number) |
idp.sealer.storeResource | Resource path | Keystore resource containing AES encryption key, usually a file path | |
idp.sealer.versionResource | Resource path | Resource that tracks the "active" AES encryption key version, usually a file path | |
idp.sealer.storePassword | String | Keystore password unlocking AES encryption keystore, typically set during installation | |
idp.sealer.keyPassword | String | Key password unlocking AES encryption key, typically set to the same as the previous property and set during installation | |
idp.signing.key | Resource path | Resource containing private key for signing, typically a file in the credentials directory | |
idp.signing.cert | Resource path | Resource containing the public key certificate inserted into signed messages, typically a file in the credentials directory | |
idp.encryption.key | Resource path | Resource containing a private key for decryption, typically a file in the credentials directory | |
idp.encryption.cert | Resource path | Resource containing a public key certificate given to others needing to encrypt data for the IdP, typically a file in the credentials directory | |
idp.encryption.key.2 | Resource path | Resource containing an alternate private key for decryption, generally unused except while changing decryption keys | |
idp.encryption.cert.2 | Resource path | Resource containing an alternate public key certificate, generally unused except while changing decryption keys | |
| idp.security.config | StringBean ID | shibboleth.DefaultSecurityConfiguration | Name of Spring bean supplying the default SecurityConfiguration |
| idp.signing.config | StringBean ID | shibboleth.SigningConfiguration.SHA256 | Name of Spring bean supplying the default SignatureSigningConfiguration |
| idp.encryption.config 3.4 | Bean ID | shibboleth.EncryptionConfiguration.CBC | Name of Spring bean supplying the default EncryptionConfiguration |
| idp.trust.signatures | StringBean ID | shibboleth.ChainingSignatureTrustEngine | Name of Spring bean for the trust engine used to verify signatures |
| idp.trust.certificates | StringBean ID | shibboleth.ChainingX509TrustEngine | Name of Spring bean for the trust engine used to verify TLS certificates |
| idp.encryption.optional | Boolean | false | If true, failure to locate an encryption key to use, when enabled, won't result in request failure |
| idp.errors.detailed | Boolean | false | If true, more detailed error information may be returned in profile responses, which could leak useful information in rare cases |
| idp.errors.signed | Boolean | true | When message signing is enabled, controls whether to sign responses that signal errors as opposed to successful outcomes |
| idp.policy.messageLifetime | Duration | PT3M | Default freshness window for accepting timestamped messages |
| idp.policy.clockSkew | Duration | PT3M | Default allowance for clock differences between systems |
| idp.artifact.secureChannel | Boolean | true | If true, skips signing/encryption when the message will be passed by reference (via artifact in SAML terms) |
...
The rest of the security-related content of a legacy relying-party.xml file is not supported and is replaced by default configuration settings. This includes all the security policy "rules" at the bottom of the file. Changing other default behaviors and most advanced options require the use of native Spring syntax and the retirement of the legacy configuration.
This notably includes controlling signing or encryption algorithms on a per-relying-party basis, although it is in some many cases possible to control this by adding extensions to an SP's metadata to get the result you need.
...
As mentioned above, when using a legacy relying-party.xml, advanced per-relying-party security configuration is not supported. However, via the use of some additional Spring wiring, one can customize the global security configuration defaults. This will affect all relying parties.
...